fix(k8s/amour): gazelle

container/smartmontools/BUILD.bazel

@@ -5,7 +5,7 @@ load("@io_bazel_rules_docker//docker/package_managers:install_pkgs.bzl", "instal
 download_pkgs(
     name = "pkgs",
     image_tar = "@io_docker_index_library_debian_bookworm_slim//image",
-    packages = ["smartmontools"],
+    packages = ["dropbear"],
 )
 
 install_pkgs(
@@ -19,6 +19,6 @@ install_pkgs(
 container_image(
     name = "image",
     base = ":pkgs_image.tar",
-    entrypoint = ["smartctl"],
+    entrypoint = ["dropbear"],
     visibility = ["//visibility:public"],
 )

k8s/amour/backup/breakfast/service_list.cue

@@ -60,4 +60,15 @@ import "k8s.io/api/core/v1"
 		selector: "app.kubernetes.io/name": "\(#Name)-syncthing"
 		type: v1.#ServiceTypeLoadBalancer
 	}
+}, {
+	metadata: name: "\(#Name)-ssh"
+	spec: {
+		ports: [{
+			name:       "ssh"
+			port:       22
+			targetPort: "ssh"
+		}]
+		selector: "app.kubernetes.io/name": "\(#Name)-ssh"
+		type: v1.#ServiceTypeLoadBalancer
+	}
 }]

k8s/amour/backup/breakfast/statefulset_list.cue

@@ -82,4 +82,62 @@ import (
 		}]
 		serviceName: metadata.name
 	}
+}, {
+	metadata: name: "\(#Name)-ssh"
+	spec: {
+		// replicas: 0
+		selector: matchLabels: "app.kubernetes.io/name": "\(#Name)-ssh"
+		template: {
+			metadata: labels: "app.kubernetes.io/name": "\(#Name)-ssh"
+			spec: {
+				volumes: [{
+					name: "data"
+					persistentVolumeClaim: {
+						claimName: #Name
+						readOnly:  true
+					}
+				}, {
+					name: "ssh"
+					configMap: name: "ssh"
+				}]
+				containers: [{
+					name:  "ssh"
+					image: "ghcr.io/uhthomas/uhthomas/dropbear@sha256:e5a81546704ca3cf6c2ffcad46153adc3e827c3ac143a9e588c838acf7221708"
+					command: ["dropbear"]
+					args: ["-RFE", "-p2222"]
+					ports: [{
+						name:          "ssh"
+						containerPort: 2222
+					}]
+					resources: limits: {
+						(v1.#ResourceCPU):    "1"
+						(v1.#ResourceMemory): "2Gi"
+					}
+					volumeMounts: [{
+						name:      "data"
+						mountPath: "/data"
+					}, {
+						name:      "ssh"
+						mountPath: "/root/.ssh/authorized_keys"
+						subPath:   "authorized_keys"
+					}]
+					imagePullPolicy: v1.#PullIfNotPresent
+					securityContext: {
+						capabilities: drop: ["ALL"]
+						readOnlyRootFilesystem:   true
+						allowPrivilegeEscalation: false
+					}
+				}]
+				securityContext: {
+					runAsUser:           1000
+					runAsGroup:          3000
+					runAsNonRoot:        true
+					fsGroup:             2000
+					fsGroupChangePolicy: v1.#FSGroupChangeOnRootMismatch
+					seccompProfile: type: v1.#SeccompProfileTypeRuntimeDefault
+				}
+			}
+		}
+		serviceName: metadata.name
+	}
 }]